470,870 Members | 1,387 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 470,870 developers. It's quick & easy.

stripslashes() and htmlspecialchars() problem!

If $val is the following:

....Just revamped the site's Content Management Application I built.. so do
bear in mind.. sorry!

Phil
stripslashes(htmlspecialchars($val)) should produce the following, or so I
thought:

<input type=hidden name=alert value="...Just revamped the site's Content
Management Application I built.. so do bear in mind..
sorry!&lt;br&gt;&lt;br&gt;Phil">

Instead, I get:

<input type=hidden name=alert value="...Just revamped the site\'s Content
Management Application I built.. so do bear in mind.. sorry!

Phil">

What combo of stripslashes() and htmlspecialchars() do I use to ensure I get
a single-line entity from an HTML textarea value that could have anything in
it, plain and simple?

Phil
Jul 16 '05 #1
2 7873
"Phil Powell" <so*****@erols.com> wrote in message
news:F1gWa.130$cf.29@lakeread04...
If $val is the following:

...Just revamped the site's Content Management Application I built.. so do
bear in mind.. sorry!

Phil
stripslashes(htmlspecialchars($val)) should produce the following, or so I
thought:

<input type=hidden name=alert value="...Just revamped the site's Content
Management Application I built.. so do bear in mind..
sorry!&lt;br&gt;&lt;br&gt;Phil">

Instead, I get:

<input type=hidden name=alert value="...Just revamped the site\'s Content
Management Application I built.. so do bear in mind.. sorry!

Phil">

What combo of stripslashes() and htmlspecialchars() do I use to ensure I get a single-line entity from an HTML textarea value that could have anything in it, plain and simple?

Phil


Hi Phil,

Just a guess (since this doesn't look like a complete code listing), but are
you picking up the return value, or are you trying to use the string as if
it were passed by reference? This worked for me as long as I displayed the
return value:

$dirty_string = 'Hello. <script
type="text/javascript">window.open("format_hdd.php");</script>';
$clean_string = stripslashes(htmlspecialchars($dirty_string));
echo $dirty_string, '<br />--Becomes--<br />', $clean_string;

Coming from Perl, I've made this mistake plenty in PHP.

HTH,
Zac
Jul 16 '05 #2
"Phil Powell" <so*****@erols.com> wrote in message
news:YFjWa.926$cf.849@lakeread04...
This ended up working for me instead:

foreach ($HTTP_GET_VARS as $key => $val)

if (!in_array($key, $cmaExceptionArray)) {
$val = str_replace("\n\r", '<br>', $val);
$val = str_replace("\n", '<br>', $val);
$val = str_replace("\r", '<br>', $val);
array_push($formQSDupArray, $key); // ADD HERE BEFORE YOU GO TO FORM
PART
echo "<input type=hidden name=$key value=\"" .
stripslashes(htmlentities($val, ENT_COMPAT)) . "\">\n";
}
}

Although I wish I could find a more elegant solution than that.


You can use nl2br to put in your own HTML breaks:

$val = nl2br($val);

This alleviates using three str_replace calls. However, if you want to
still use a replacement method (which drops newlines/returns), I use this
method:

$val = preg_replace('/\n(\r)?/', '<br />', $val);

It might make your code more readable if you do all of your filtering at
once using a function call:

function input_filter($input) {
return(
stripslashes(
htmlentities(
//Add a non-breaking space to sentence spaces.
preg_replace('/ {2}/', '&nbsp; ',
//Replace all newlines
// (with optional carriage returns)
// with <br /> tags.
preg_replace('/\n(\r)?/', '<br />', $input),
),
ENT_COMPAT
)
)
);
}

Then,

$val = input_filter($val);

This should "clean up" a little bit of the code within your loop. This
reduces string filtering to a single line of code, so all you're doing
otherwise is just your form tracking.

HTH,
Zac
Jul 16 '05 #3

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

1 post views Thread by lawrence | last post: by
3 posts views Thread by SoulSniper | last post: by
1 post views Thread by brianj | last post: by
4 posts views Thread by Dave Moore | last post: by
4 posts views Thread by Terry | last post: by
2 posts views Thread by universalbitmapper | last post: by
6 posts views Thread by Sergei Riaguzov | last post: by
omerbutt
23 posts views Thread by omerbutt | last post: by
8 posts views Thread by mijn naam | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.